Blog

Victor is a full stack software engineer who loves travelling and building things. Most recently created Ewolo, a cross-platform workout logger.

Local proxy using cntlm

In a lot of organizations, internet access is controlled via a proxy that most likely also requires authentication. Rather than provide your username and password to every piece of software (which may or may not store them securely), we can setup a local proxy server that securely stores the credentials for us and provides an easy url with which the internet can be accessed.

Enter cntlm, an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy. In this article we setup cntlm on windows as a local proxy servcice. Note that cntlm is not windows specific however and that its essential purpose is to enable using a windows proxy requiring NTLM authentication when using a non windows machine!

Give me the real thing

The first order of business is to install cntlm from the downloads page. Next head to C:\Program Files\Cntlm (or C:\Program Files (x86)\Cntlm). Here we will need to modify cntlm.ini but it is a restricted file so open up a text editor with administrative privileges and open the cntlm.ini file manually. Here we can configure the username, domain and proxy settings. Leave the authentication settings as is for the moment.

#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#
Username  snoop
Domain    snoopsrealm
    
# List of parent proxies to use. More proxies can be defined
# one per line in format :
#
Proxy     proxy.snoop.com:8080

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy   localhost, 127.0.0.*, 10.*, 192.168.*, *.snoop.com

Next up open up a console with administrator privileges (cmd.exe) and navigate to where the cntlm exe is located. Here we will test our proxy configuration and generate the credentials that are required to set up the proxy service.

C:\Program Files (x86)\Cntlm>cntlm.exe -I -M http://google.com
      2 [main] cntlm 17484 find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer.  Please report this problem to
the public mailing list cygwin@cygwin.com
cygwin warning:
  MS-DOS style path detected: C:\Program Files (x86)\Cntlm\cntlm.ini
  Preferred POSIX equivalent is: /Cntlm/cntlm.ini
  CYGWIN environment variable option "nodosfilewarning" turns off this warning.
  Consult the user's guide for more details about POSIX paths:
    http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
Password:
Config profile  1/4... Credentials rejected
Config profile  2/4... OK (HTTP code: 301)
----------------------------[ Profile  1 ]------
Auth            NTLM
PassNT          9B1D4583333333333333333333314A2F
PassLM          992B29F333333333333333333343A5C7
------------------------------------------------

What has happened above is that we tried connecting to http://google.com (note the non https connection) and cntlm figured out what authentication method the proxy supports and provided us with the credentials we should use. Thus, we can copy the Auth, PassNT and PassLM lines into cntlm.ini:

# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB
Auth            NTLM
PassLM          992B29F333333333333333333343A5C7
PassNT          9B1D4583333333333333333333314A2F

Once the authentication is copied over, we can start the cntlm service via net start cntlm in the console. This fires up a local proxy server running on http://localhost:3128. We can now test connecting to the internet using this proxy. Note that the command to stop the cntlm service is net stop cntlm. A few software configurations are provided below:

  • Bash: environment variables http_proxy and https_proxy. You can set up environment variables via windows by right clicking on My Computer, Properties -> Advanced -> Environment Variables -> New User Variables
  • Git: git config --global http.proxy="http://localhost:3128" and a similarly configured https.proxy. You most likely also need git config --global http.strict-ssl=false.
  • Npm: npm config set proxy http://localhost:3128 and a similarly configured https-proxy. Similarly strict-ssl false.

Finally note that if you are running a virtual machine on windows via virtualbox then you can use the proxy running on the host machine as well. Simply set the proxy to use http://10.0.2.2:3128, where 10.0.2.2 is generally the IP of your Windows host.

Happy proxying!

HackerNews submission / discussion

Back to the article list.